(57) Abstract

Data exchange occurs between the CRYPTO unit (10) 
and the OPC (12), where OPC designates the Cryptographic 
Operations Center. A secure header message (234) is sent from 
the CRYPTO unit (10) to the OPC (12) in order to identify 
and authenticate the CRYPTO unit (10). Following a secure 
header message (234), one or more secure requests or usage 
reports are sent in secure messages (236) from the CRYPTO unit 
(10) to the OPC (12). Responsive to the secure request and/or
report, the OPC (12) responds with one or more secure OPC
command messages (238) from the OPC (12) to the CRYPTO
unit (10), such as downloading credit to the CRYPTO unit (10).
The received credit is used by the CRYPTO unit (10) in a data 
package routine to decrypt data. 
SECURE COMMUNICATION SYSTEM
WITH CROSS LINKED CRYPTOGRAPHIC CODES

Field of the Invention



The present invention relates to the field of cryptographic 
communications systems, and particularly to a method and apparatus for sending 
and receiving encrypted signal packets in a secure cryptographic 
communications system. A co-pending application assigned to the same assignee
as the present invention, entitled "ENCRYPTED DATA PACKAGE RECORD FOR USE IN
REMOTE TRANSACTION METERED DATA SYSTEM" is filed on even date herewith.

Background of the Invention 

Systems for metering information use are known. For example, see U.S.
patent 4,827,508 to Shear, or U.S. patent 5,010,571 to Katznelson in which
access to an encrypted CD ROM database is metered. Briefly, a CD ROM
containing an encrypted database of interest to a user is distributed
typically at nominal cost or at no cost. A user terminal includes a host
computer, a CD ROM reader, and a remote cryptographic control unit which is
provided with stored cryptographic keys needed to access the database. The
amount of actual data use, i.e. the retrieval and decryption of data from the
CD ROM, is metered locally and recorded as a stored data usage record. The
charge for data access may be either in accordance with the amount of data
decrypted, or in accordance with price information recorded in the respective
data headers of each individual data package.

The local stored data usage record is reported (uploaded) by telephone 
modem or other telecommunications link from a remote user terminal, such as 
a host personal computer containing the remote cryptographic control unit, to 
a cryptographic operations center. Each remote cryptographic control unit has 
a secret stored key, unique to that remote user terminal. Communication 
between the user terminal and the cryptographic operations center is protected 
by encryption using the secret key, which is stored in a secure memory in the 
cryptographic control unit. The secret key for each user is also stored in 
the cryptographic operations center. When a remote user terminal calls in and 
identifies itself, the cryptographic operations center looks up the 
corresponding user secret key, which is then used in a secure subsequent
communication data exchange between the remote user terminal and the 
cryptographic operations center. 
Also stored in the cryptographic operations center are the various
cryptographic keys corresponding to the available CD ROM database titles. The
user secret key is also used to secure the delivery of secret database keys
from the cryptographic operations center to the user terminal for a desired
CD ROM database, usually upon first encountering a new CD ROM title.

As indicated, the remote cryptographic control unit reports data usage
by telephone modem. After a usage report is successfully uploaded to
the cryptographic operations center, the user is then billed, charged or
debited for the actual database usage, based on the content of the uploaded
data usage report. Thus, rather than being required to purchase an entire CD
ROM database, the user pays only for the amount of data actually used or
decrypted from the CD ROM.

Typically, the remote cryptographic control unit in the user terminal 
contains one or more credit registers. As each data purchase is made and 
recorded as a purchase log, a debit is made from the appropriate credit 
register. The credit register limits the amount of data which may be 
decrypted before requiring downloaded credit from the cryptographic operations 
center. The purpose of the credit register is to prevent unlimited access to 
the database without reporting the purchase logs and paying for data usage 
and limited off line access to credit. If the available credit is exhausted,
no further data decryption is allowed until new credit is downloaded to the
user terminal. Past data usage is reported by the user terminal to the
cryptographic operations center in a usage report consisting of multiple
purchase logs (stored data usage records).

The telephone communication channel between the user terminal and the 
cryptographic operations center is presumed not to be secure against 
electronic eavesdroppers who may record and study data exchanges. Therefore,
the uploaded usage report containing purchase logs, and the downloaded credit
transaction functions are system features subject to attack by pirates to
avoid payment.



For example, a pirate might attempt to record, and later repeat the
previous transmissions of either the user terminal or the cryptographic
operations center (also known as an echo attack). That is, a pirate might
simulate the cryptographic operations center, i.e. act as impostor to
download fresh credit to the user terminal. In another form of attack, the
pirate might simulate the output of the user terminal in order to transmit a
false record of purchases to the cryptographic operations center.

Therefore, it is critical that both the remote cryptographic control
unit in the user terminal, and the cryptographic operations center, accurately
authenticate and cross check messages from each other when purchase logs are
uploaded, or any secure command is executed, such as downloaded credit. If
any irregularity is detected, the communication session is terminated.
Interlocking cross checks reduce the chance that a pirate can use the
cryptographic control unit against the system. In particular, it is desired
to harden the system against tampering by making it difficult to reorder
packets within a message.

Typically, a message containing a plurality of packets is encrypted
using the cipher block chaining (CBC) mode of the data encryption standard
(DES). In addition, the DES algorithm is used to generate a message
authentication code (MAC), also called a manipulation detection code (MDC),
over each packet to detect tampering of the data within a packet. Neither of
the foregoing features protects generally against all reordering of packets
anywhere within a multiple packet message. Prior art MAC techniques cover one
packet and do not protect against the reordering of packets. In the CBC mode
of DES, the present block of clear data is dependent only on the two previous
blocks of cipher data being correctly received, a feature designed to prevent
propagation of received errors in CBC mode.

Furthermore, the cryptographic processes used for data encryption and
those used for MAC computation are typically independent of each other. Thus,
while a MAC code and CBC encryption mode provide some security against message
packet alteration, neither a MAC code nor a CBC encryption process alone or
in combination protects against packet reordering within a message generally.

Summary of the Invention 

The present invention is embodied in a communication system including
a method and apparatus for communication between a user terminal containing
a remote cryptographic control unit (CRYPTO unit) and a cryptographic
operations center (OPC). Specifically, it is desired to implement a MAC code
in a multiple packet message communication which will detect alterations in
the form of packet reordering.

In particular, a first cryptographic code key is used to encrypt a first
plurality of signal packets. A second cryptographic code key is used to
encrypt the encrypted first plurality of signal packets to form an appended
MAC. The initial vector for computing the MAC for a given packet is the last
encrypted data block of the previous packet encrypted with the first
cryptographic code key. In such manner, the encryption of the data and the
computation of the MAC are cross linked. Each MAC is not only a function of
the present packet, but also a function of all the previous packets, thereby
providing an increased level of security against signal tampering by
reordering of packets.

Brief Description of the Drawings 

Figure 1 is a block diagram of a system for reporting metered use of
encrypted information embodying the present invention. 

Figure 2 is a block diagram illustrating the communication protocol 
between a remote CRYPTO unit and an OPC in accordance with the present 
invention.

Figure 3 is a flow chart diagram illustrating a method for generating
a secure header in a remote CRYPTO unit in accordance with the present
invention.

Figure 4 is a flow chart diagram illustrating a method and apparatus for 
receiving a secure header in an operations center in accordance with the
present invention. 

Figure 5 is a flow chart diagram illustrating a method and apparatus for 
generating a secure request message and a secure report usage message in a 
remote CRYPTO unit in accordance with the present invention. 

Figure 6 is a diagram partially in block form illustrating the packet 
format of a secure message generated in a remote CRYPTO unit in accordance 
with the present invention. 

Figure 7 is a flow chart diagram illustrating a method and apparatus for 
receiving a secure request message and a secure report message in an operation
center.

Figure 8 is a flow chart diagram illustrating a method and apparatus for
preparing secure commands in an operation center in accordance with the
present invention.

Figure 9 is a diagram partially in block form illustrating the packet 
format for a secure message in an operation center in accordance with the 
present invention. 

Figure 10 is a flow chart diagram illustrating a method and apparatus 
for receiving secure commands in a remote CRYPTO unit in accordance with the 
present invention. 

Figure 11A is a diagram partially in block form illustrating the data
format and decryption of an encrypted database.

Figure 11B is a flow chart diagram illustrating the use of remote
transaction request during a data purchase in the metered decryption of an
encrypted database.

Figure 12 is a flow chart diagram illustrating a method and apparatus
for generating a remote transaction request in a remote CRYPTO unit in 
accordance with the present invention. 

Figure 13 is a flow chart diagram illustrating a method and apparatus 
for receiving a remote transaction request in an operation center embodying 
the present invention. 

Figure 14 is a flow chart diagram illustrating a method and apparatus 
for preparing a remote transaction response at an operations center in 
accordance with the present invention. 

Figure 15 is a flow chart diagram illustrating a method and apparatus 
for receiving a remote transaction response in a remote CRYPTO unit. 

Figure 16 is a diagram of various data fields of the DB info record
represented in memory in accordance with the present invention. 

Detailed Description 
A METERED DATA SYSTEM 

A system for metering and reporting access to an encrypted database is
shown in Figure 1. The system includes a user terminal 16 and an OPC 12. The
user terminal 16 is typically a host personal computer containing CPU 18, CD
ROM reader 20, modem 19, and a remote cryptographic control unit (CRYPTO unit
or information meter) 10 coupled to a non-volatile RAM storage memory 11.
The user terminal 16 is linked to the OPC 12 through a telephone line modem
connection 17.

In operation, information publisher 14 provides an encrypted database
20, which may be in CD ROM form, to the user terminal 16. The user inserts 
the encrypted CD ROM into the CD ROM player 20. Using search and retrieval 
software in the user's host personal computer, CPU 18 performs searches on the 
encrypted CD ROM database. In order to use the results of the search, the CPU 
requests that the CRYPTO unit 10 decrypt the desired data package from the CD 
ROM player 20. 
If the CRYPTO unit has been previously provided with the necessary
database keys (DB keys) for the particular database, and there is
sufficient credit in the internal credit registers to make the purchase, then
the CRYPTO unit 10 will decrypt the desired encrypted data. The
cost of the decrypted data will be subtracted from the internal credit
register. In addition, a record of the purchase and decryption of the data
will be recorded in the non-volatile RAM 11 as a purchase log.

Eventually, in order to replenish credit and report data usage, the host
16 "—I- the CRYPTO unit 10 will establish a telephone
connection to the OPC 12. ^ coatrol ^ ^ host pc ^ £££ ^
causes the CRYPTO unit 10 to call the OPC 12, typically when 1) additional
local credit is needed, 2) the amount of available memory space for
the data usage records (purchase logs) in the non-volatile RAM 11 ZlTZ
exhausted, 3) a fixed time period has elapsed, 4) a remote transaction request
is initiated by the user (if the database allows a remote transaction mode)
for a real time, on line purchase of a data package in the remote
transaction mode.

In any event, the CRYPTO unit 10 commands the modem 19 to establish a
telephone link 17 to the OPC 12. After a telephone link is established, the
CRYPTO unit 10 identifies itself to the OPC 12 either in a secure header
message, or a remote transaction request. Following transmission of a secure
header message, the CRYPTO unit 10 can report usage, or send a secure request
for either a consumer identification number (consumer ID) or for a credit or
refund. In response, the OPC in a secure command forwards a consumer ID, a
credit, or a refund to the CRYPTO unit 10, and any other commands it wishes
to send at that time. The OPC 12 can respond to a remote transaction request
by immediately approving the transaction.

Following the data exchanges, the CRYPTO unit 10 will either be allowed 
to make further purchases of encrypted information or denied further 
purchases. At periodic intervals, the OPC 12 reports on information use to 
information publisher 14. 



CONVENTIONS USED 



As used herein, the preferred encryption and decryption process is the
Data Encryption Standard (DES). Briefly, for the electronic code book mode
(ECB) of DES, an input block of 64 bits (8 bytes) is transformed into an
output block of 64 bits in accordance with a 56 bit key. For decryption, the
reverse process is carried out, transforming 64 input bits to 64 output bits
using the same 56 bit key. DES keys are typically represented in 64 bit, 8
byte quantities, with each byte having seven bits plus one parity bit, or 56
key bits plus 8 parity bits. As used herein, performing an encrypted keyload
of a variable under a secret key means to encrypt (or decrypt) that variable
(usually a key) under the secret key to generate another key. Encryption may
be performed under a single key, or under multiple keys, such as a triple key
set. Unless otherwise stated, encryption or decryption shall mean ECB mode
of DES encryption or decryption under a triple key set. For triple key
encryption, a key set of three keys is used to encrypt a variable using DES
as follows: encrypt with key 1, decrypt with key 2, and encrypt with key 3.
Triple key decryption is the reverse: decrypt with key 3, encrypt with key
2, and then decrypt with key 1.

As used herein, CBC shall mean a cipher block chaining mode with an
initial vector, such as the cipher block chaining mode of the DES standard
using an initial vector, IV. In going from a triple key load of a triple key
from either a triple message key or a single message key, the convention will
be as follows: output key 1 is derived from the application of key 1, key 2,
key 3, encrypted, decrypted and encrypted respectively in that order (for
encryption), output key 2 is derived from the application of key 3, key 2, key
1, encrypted, decrypted and encrypted respectively in that order (for
encryption), and output key 3 is derived from the application of key 2, key
1, key 3, encrypted, decrypted and encrypted in that order (for encryption).
Also, unless otherwise stated, the IV for a CBC DES encryption or decryption
shall be zero.

PACKET COMMUNICATIONS PROTOCOL 

Figure 2 illustrates the data exchange protocol between the OPC 12 and
the CRYPTO unit 10. First, a secure header message 234 is sent from the
CRYPTO unit 10 to OPC 12 which serves to identify and authenticate the CRYPTO
unit 10. Following a secure header message 234, one or more secure requests
or usage reports are sent in secure messages 236 from the CRYPTO unit 10 to
the OPC 12. Responsive to the secure request and/or report, the OPC 12
responds with one or more secure OPC command messages 238 from the OPC 12 to
the CRYPTO unit 10, such as downloading credit to the CRYPTO unit 10. The
received credit is used by the CRYPTO unit 10 in a data package (DP setup)
routine to decrypt data.

Alternatively, the user at CRYPTO unit 10 may request a real time, on
line purchase of a data package in a remote transaction, if the database
permits such remote transaction mode. For this purpose, CRYPTO unit 10 issues
a remote transaction request message 240 to the OPC 12. In a remote
transaction request, the OPC 12 decides whether or not to approve the purchase
and responds with a secure remote transaction response message 242 back to the
CRYPTO unit 10. All security functions such as authentication and the like
are compressed into a single CRYPTO unit request and OPC response. No credit
register in the CRYPTO unit 10 is affected and no record of the purchase is
recorded in the CRYPTO unit 10 non-volatile RAM. Following approval of the
remote transaction request, the DP setup routine provides a key which is used
to decrypt desired data. Figures 3 through 14 illustrate the foregoing
message protocol in greater detail.

PREPARE SECURE HEADER MESSAGE - CRYPTO UNIT 

The CRYPTO unit stores a secret key called a client key set CK in a
battery backed volatile random access memory (RAM) 22. CK is unique to a
given CRYPTO unit. In addition, the CRYPTO unit stores two fixed constants:
a first fixed string 24 and a second fixed string 26. A meter ID 30
identifies the individual meter which the CRYPTO unit represents. A measure
of current time is provided by a real time clock (RTC) 28.

Several communication keys, including a unit key (UK), a transaction
identification (TID), and a transaction verification key (TVK) are generated
as follows. Fixed string 24 is encrypted under CK in encryptor 36, the result
of which is used as a key to encrypt fixed string 26 in encryptor 38, forming
UK. Real time from the real time clock 28 is encrypted in encryptor 40 under
UK to form TID. TID is encrypted under CK in encryptor 42 to provide an
intermediate key SA which in turn is used as a key to encrypt the meter
identification 30 (ID) in encryptor 44 to form a transaction verification key
(TVK). Unless otherwise specified, encryption of a variable under a key set
means a triple key DES block ECB encryption.

To form a secure header packet, secure header data 32 is triple key CBC
encrypted in encryptor 48 under the TVK using an IV equal to the TID.
Insecure header data consisting of the Meter ID (identification number for the
meter) 30, the Meter Version 34 (like a revision number for the integrated
circuit implementation), and the TID are sent in the clear. A MAC (message
authentication code or manipulation detection code) is calculated by
assembling the insecure header data with encrypted header data, and triple key
CBC encrypting the combination 52 in encryptor 54 under the UK to form a MAC.
Unless otherwise specified, CBC encryption uses triple key and an IV equal to
zero.



The insecure header data, the encrypted header data from encryptor 48
and the calculated MAC are assembled into a packet forming a secure header
message and transmitted 50 to the OPC. At the CRYPTO unit, the calculated
secure header MAC is further encrypted in encryptor 56 under the TVK to form
a checkblock 57 which is stored locally.
RECEIVE SECURE HEADER MESSAGE - OPC

The secure header message 58 is received and processed as shown in
figure 4. Client key database 60 contains the secret keys for all of the
users of the system. Using the insecure header data for the Meter ID and the
Meter Version, the client key CK is looked up in the client key database 60.
UK is replicated by encrypting the stored first fixed string 62 under CK in
encryptor 64 and using the result as the key to encrypt the second fixed
string 66 in encryptor 68. Received insecure header data TID is encrypted
under CK in encryptor 70 and the result SA used as the key to encrypt the
meter ID in encryptor 72 to recreate TVK. The secure header MAC is encrypted
in encryptor 74 under TVK to form a locally regenerated version of the
checkblock 76 which is stored in the OPC.

To recreate the secure header MAC at the OPC, the received secure header
packet (except for the MAC) is encrypted in CBC encryptor 80 under UK as the
key with IV equal to zero. The calculated MAC at the output of encryptor 80
is compared to the received secure header MAC in comparator 76. If the MAC
received from the CRYPTO unit is not equal to the MAC calculated by the OPC,
then the telephone connection is disconnected at step 82. However, if the MAC
comparison 78 indicates equality, authenticity of the transmitting CRYPTO unit
is presumed, and the process of receiving secure data is continued at step 84.
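The header exchange described in the two sections above, as an added Python sketch that is not part of the original document. It assumes HMAC-SHA256 truncated to 8 bytes as a forward-only stand-in for triple key DES encryption, treats the encrypted header data as an opaque constructed value, and uses hypothetical function names and constructed keys, strings and meter values.

```python
import hashlib
import hmac

BLOCK = 8                       # DES block size in bytes
ZERO_IV = bytes(BLOCK)


def enc(key: bytes, block: bytes) -> bytes:
    """Assumed stand-in for one triple key DES ECB encryption of a block.

    Key derivation and MAC generation only use the encrypt direction, so a
    keyed one-way function is enough for this sketch.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_mac(key: bytes, data: bytes, iv: bytes = ZERO_IV) -> bytes:
    """CBC-MAC: chain the encryptions and keep only the last output block."""
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of 8 bytes")
    mac = iv
    for i in range(0, len(data), BLOCK):
        mac = enc(key, bytes(a ^ b for a, b in zip(mac, data[i:i + BLOCK])))
    return mac


def unit_key(ck, fixed1, fixed2):
    """UK: fixed string 1 under CK, result used as key for fixed string 2."""
    return enc(enc(ck, fixed1), fixed2)


def verification_key(ck, tid, meter_id):
    """TVK: TID under CK gives SA, meter ID under SA gives TVK."""
    sa = enc(ck, tid)
    return enc(sa, meter_id)


def prepare_header(ck, fixed1, fixed2, meter_id, version, rtc, encrypted):
    """CRYPTO unit side: return (header message, locally stored checkblock)."""
    uk = unit_key(ck, fixed1, fixed2)
    tid = enc(uk, rtc)                       # real time encrypted under UK
    tvk = verification_key(ck, tid, meter_id)
    mac = cbc_mac(uk, meter_id + version + tid + encrypted)
    header = {"meter_id": meter_id, "version": version, "tid": tid,
              "encrypted": encrypted, "mac": mac}
    return header, enc(tvk, mac)             # checkblock = MAC under TVK


def receive_header(client_keys, fixed1, fixed2, header):
    """OPC side: return the regenerated checkblock, or None to disconnect."""
    ck = client_keys.get((header["meter_id"], header["version"]))
    if ck is None:
        return None                          # unknown meter
    uk = unit_key(ck, fixed1, fixed2)
    clear = header["meter_id"] + header["version"] + header["tid"]
    expected = cbc_mac(uk, clear + header["encrypted"])
    if not hmac.compare_digest(expected, header["mac"]):
        return None                          # MAC mismatch
    tvk = verification_key(ck, header["tid"], header["meter_id"])
    return enc(tvk, header["mac"])


# Constructed sample values (not from the document).
CK = b"client-key-0001"
FIXED1, FIXED2 = b"FIXSTR-1", b"FIXSTR-2"
METER_ID, VERSION = b"METER001", b"VERS0001"
RTC = b"\x00\x00\x00\x00\x2d\x4e\x10\x00"    # constructed clock reading
ENCRYPTED = bytes(range(16))                 # opaque encrypted header data
CLIENT_KEYS = {(METER_ID, VERSION): CK}

if __name__ == "__main__":
    hdr, unit_checkblock = prepare_header(
        CK, FIXED1, FIXED2, METER_ID, VERSION, RTC, ENCRYPTED)
    opc_checkblock = receive_header(CLIENT_KEYS, FIXED1, FIXED2, hdr)
    print("checkblocks match:", opc_checkblock == unit_checkblock)
    forged = dict(hdr, tid=bytes(BLOCK))     # TID altered in transit
    print("forged header accepted:",
          receive_header(CLIENT_KEYS, FIXED1, FIXED2, forged) is not None)
```

Both ends arrive at the same checkblock without it ever being transmitted, which is what lets later OPC commands be tied back to this header.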

Encrypted secure data is decrypted in CBC decryptor 86 using an IV equal
to TID. The data is processed at step 88. In particular, the OPC checks the
present time, the report time and the expiration time for the CRYPTO unit. 
Also processed is the total untaxed usage, the total taxed usage, the tax 
collected, the tax rate and the message key used for each meter. Received 
values are checked against the records for the particular CRYPTO unit. Any 
detected errors are noted as irregularities warranting manual review of the 
consumer account. 

PREPARE SECURE REQUEST/REPORT - CRYPTO UNIT 

There are three types of messages as shown in Figure 5, generated by the 
CRYPTO unit to the OPC: REPORT USAGE, REQUEST CREDIT/REFUND and REQUEST 
CONSUMER ID. 

REPORT USAGE 



In REPORT USAGE, the totals and summaries of the purchase logs 100
previously entered in the non-volatile RAM 11, each with an appended MAC and
control signals, are forwarded to the OPC in the secure packets of a REPORT
USAGE message. Purchase logs are transmitted without any encryption. The
purchase log entries forming the data usage report provide an audit trail to
cross check total credit purchases.

REQUEST A CONSUMER ID 

Initially, a CRYPTO unit has no particular identity other than its
client key CK and its meter ID. However, before any transactions are
conducted, an individual identity is needed from the OPC, S^t^
the user to a particular CRYPTO unit, and is used in future CMm
«— . Before any transactions are conducted, the ^UTT~d
receives an assigned consumer ID which is stored locally in the CRYPTO unit.

REQUEST FOR CREDIT OR REFUND

If a consumer ID has been previously assigned, then a secure request for
credit or a secure request for a refund can be sent from the CRYPTO unit.

In a SECURE REQUEST FOR CREDIT, the CRYPTO unit requests a financial
transaction to deliver credit, typically from the user's credit card account.
In a SECURE REQUEST FOR REFUND, the CRYPTO unit requests a financial
transaction to refund previously delivered credit, typically to the user's
credit card account.

SECURE REQUEST PACKET GENERATION 

is C^C^teT' ° f ^ ^ ^ **" secure requests, secure packet data is
CBC encrypted at 94 under TVK using TID as the IV. The resulting
encrypted packet data is assembled 96 with insecure packet data and
encrypted in CBC encryptor 98 under UK, the output of which forms the MAC for
the secure request packet. The encrypted packet data, the insecure packet
data and the generated MAC are assembled into a secure request message and
forwarded 102 to the OPC. As indicated above, the purchase logs 100 are not
combined with any of the secure requests but are sent as a separate
stream to the OPC, only if the report usage command is executed.

CRYPTO PACKET FORMAT 

Figure 6 illustrates the format of the secure packets which are sent
from the CRYPTO unit to the OPC. Two consecutive packets 112 and 114 forming
a secure CRYPTO request are shown. The first packet 112 is preceded by header
bits 104 and followed by trailer bits 106 which are part of the higher order
session layer level of the protocol. Similarly, the following packet 114 is
framed by header bits 108 and trailer bits 110 which are part of the higher
order session layer level of the protocol.

Each packet 112 and 114 contains a portion of clear data 116 and 122
respectively which contains the insecure packet data. By way of example, each
of clear data portions 116 and 122 contains 3 blocks of 8 bytes each, or 24
bytes total. Following the clear data portions 116 and 122 are encrypted
data DES blocks 118, 120 and 128 (for packet 112) and DES blocks 124, 126 and
130 (for packet 114) respectively.

A first encryption key TVK is used to encrypt the packet data, and a
second encryption key UK is used to generate the packet MAC. Both packet data
and MAC generation use triple key DES in CBC mode. The MAC encryption key is
UK, with the IV equal to zero for each packet. The data encryption key is TVK,
with the IV equal to the previous encrypted DES block, except for the first
DES block 118 of the first packet 112, in which case the IV is TID.

For the first DES block of each successive packet, the IV is the last
DES block of the previous packet. That is, the IV for encrypting the first
DES block 118 of packet 112 is TID. DES block 118 is then used as the IV for
encrypting the next DES block 120, and so on to the last DES block of packet
112. The last DES block 128 of packet 112 is used as the IV to encrypt
first DES block 124 of the following packet 114. Within packet 114, DES block
124 is used as the IV to encrypt DES block 126, and so on, through all of the
DES blocks of packet 114. The last DES block of packet 114 is used as the IV
to encrypt the DES blocks of successive packets of the secure CRYPTO request.

The respective MACs 132 and 134 for packets 112 and 114 are loaded as 
the last block of each packet. The key for computing the MAC is the unit key 
UK. The IV is set equal to zero for each MAC calculation. The MAC is 
computed over both the clear data block 116 and the encrypted data DES blocks
118, 120, 128. For CBC encryption mode, the output of DES encryptor 136A is 
the IV for DES encryptor 136B, and so on through to the last DES encryptor 
136N. The final output of the last CBC DES encryptor 136N is loaded into 
packet 112 as the MAC 132 for packet 112. 

The MAC for the subsequent packet 114 is generated by setting the IV 
equal to zero at DES encryptor 138A and performing successive DES CBC 
encryptions over both the clear data 122 and the encrypted data DES blocks 
124, 126, 130. For CBC encryption mode, the output of DES encryptor 138A is
the IV for DES encryptor 138B, and so on through to the last DES encryptor
138N. The final output of the last CBC DES encryptor 138N is loaded into 
packet 114 as the MAC 134 for packet 114. 

In an alternate embodiment, the IV for DES encryptor 138A may be set
equal to the MAC 132 of the previous packet 112. In such manner, both the IV
for data encryption and the IV for MAC calculation are passed from one packet
to the next.

RECEIVED SECURE MESSAGE - OPC 

The secure request or the report usage message 140 is received at the
OPC and processed as in figure 7. To calculate the packet MAC, the secure
message, except for the received MAC, is CBC encrypted in encryptor 144 under
the UK. The resulting OPC calculated MAC is compared with the received packet
MAC at step 142. If the supplied MAC is not equal to the calculated MAC, the
telephone connection is disconnected at step 145. However, if the supplied
MAC is equal to the calculated MAC, then secure data processing continues at
step 146 to processing the received data at step 148. Received encrypted secure
data is CBC decrypted in decryptor 150 under TVK with IV equal to TID.

If the received message consisted of a report usage, then the sum of the 
credit registers is compared to the sum of the taxed usage, untaxed usage, and 
tax collected to reconcile prior purchases. Also, the sum of the publisher 
registers is compared to the sum of the untaxed usage and taxed usage records 
to reconcile prior use. 

If the request was for a credit or refund, the OPC determines the credit 
status of the subscriber client before responding with a secure OPC command. 
Similarly, if the request was for a consumer ID, the status of prior assigned 
consumer ID, if any, is determined before responding with a secure OPC command 
for a new consumer ID. 

PREPARE SECURE OPC COMMANDS - OPC 

Secure OPC commands are encrypted as shown in figure 8. A new key, CDK,
is generated by encrypting TID in encryptor 152 under TVK. The secure OPC
command is generated by prepending checkblock 76 to the packet data 154 (Nth
packet) at step 156. The resulting data is encrypted in CBC encryptor 158 to
produce encrypted data for the present packet N. The IV for data encryption
is equal to zero for the first packet, and equal to the last block of the
preceding encrypted packet (N-1) for all successive packets. A MAC is
generated over the encrypted packet in encryptor 160. In computing the MAC
for the first packet, the IV is set equal to zero. For each successive
packet, the IV for the MAC calculation is set equal to the last block of the
encrypted packet preceding the present packet. The encrypted packet data and
the computed MAC are assembled 162 into a secure OPC command message to the
CRYPTO unit.
Using the previous encrypted data as the IV for the MAC links the MAC
to all the previous packets. Using the previous encrypted data as the IV for
the data decryption also links the checkblock and the data to all the previous
packets. That is, the packets from the OPC must be passed to the CRYPTO unit
in the same order that they were prepared. Modification of the order of
packets, removal of packets, modification of packet contents, and substitution
of packets will be detected by the CRYPTO unit as a MAC comparison failure.
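The cross linking summarized in the Summary of the Invention and applied to OPC commands above, as an added Python sketch that is not part of the original document. It assumes a toy 64-bit Feistel permutation in place of triple key DES, omits the prepended checkblock, and uses hypothetical function names with constructed keys and packet contents; the `cross_link=False` path models the per-packet zero-IV MAC that the Background describes.

```python
import hashlib
import hmac

BLOCK = 8                       # DES block size in bytes
ZERO_IV = bytes(BLOCK)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel permutation on one 64-bit block.

    Assumption: stands in for triple key DES; it is not a real cipher.
    """
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> list:
    """CBC-encrypt data (a multiple of 8 bytes); return the cipher blocks."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of 8 bytes")
    blocks, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(prev, data[i:i + BLOCK]))
        blocks.append(prev)
    return blocks


def cbc_mac(key: bytes, iv: bytes, data: bytes) -> bytes:
    """The MAC is the last block of a CBC encryption of the data."""
    return cbc_encrypt(key, iv, data)[-1]


def build_message(data_key, mac_key, packets, cross_link=True):
    """Sender: return [(encrypted_packet, mac), ...].

    Data IV: zero for the first packet, then the last encrypted block of
    the previous packet. MAC IV: the same chained block when cross_link
    is True, zero for every packet when it is False.
    """
    out, chain = [], ZERO_IV
    for plain in packets:
        enc = b"".join(cbc_encrypt(data_key, chain, plain))
        mac_iv = chain if cross_link else ZERO_IV
        out.append((enc, cbc_mac(mac_key, mac_iv, enc)))
        chain = enc[-BLOCK:]
    return out


def verify_message(mac_key, received, cross_link=True):
    """Receiver: index of the first packet whose MAC fails, else None."""
    chain = ZERO_IV
    for n, (enc, mac) in enumerate(received):
        mac_iv = chain if cross_link else ZERO_IV
        if not hmac.compare_digest(cbc_mac(mac_key, mac_iv, enc), mac):
            return n
        chain = enc[-BLOCK:]
    return None


# Constructed keys and 16-byte packets (not from the document).
CDK, TVK = b"constructed-CDK", b"constructed-TVK"
PACKETS = [b"CREDIT +0050 USD", b"SET EXPIRY 0199 ", b"REFUND -0010 USD"]


def demo():
    linked = build_message(CDK, TVK, PACKETS)
    legacy = build_message(CDK, TVK, PACKETS, cross_link=False)
    return {
        "in_order": verify_message(TVK, linked),
        "reordered_linked": verify_message(
            TVK, [linked[0], linked[2], linked[1]]),
        "reordered_legacy": verify_message(
            TVK, [legacy[0], legacy[2], legacy[1]], cross_link=False),
        "middle_removed": verify_message(TVK, [linked[0], linked[2]]),
    }


if __name__ == "__main__":
    for name, failed_at in demo().items():
        print(f"{name}: first failing packet = {failed_at}")
```

In this sketch, dropping packets from the end of a message leaves a prefix that still verifies, so the receiver also needs to know how many packets to expect.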



OPC PACKET FORMAT 



Figure 9 illustrates the format of the secure packets which are sent 
from the OPC to the CRYPTO unit. Two consecutive packets 172 and 174 forming 
a secure OPC message are shown. The first packet 172 is preceded by header 
bits 164 and followed by trailer bits 166 which are part of the higher order 
session layer level of the protocol. Similarly, the following packet 174 is 
framed by header bits 168 and trailer bits 170 which are part of the higher 
order session layer level of the protocol. Each packet 172 and 174 contains 
encrypted DES blocks 176, 178 and 180 (for packet 172) and encrypted DES 
blocks 186, 188 and 190 (for packet 174) respectively. 

A first encryption key CDK is used to encrypt the packet data, and a 
second encryption key TVK is used to generate the packet MAC. Both packet 
data and MAC generation use triple key DES in CBC mode. The IV for the first 
block 176 of the first packet 172 for both packet data and MAC generation is 
zero. For successive packets, the IV for MAC generation is cross linked to 
the encrypted data. The IV for data encryption is the previous encrypted DES 
block. For each successive packet, the IV for the first DES block is the last 
DES block of the previous packet. 

Specifically, the IV for encrypting DES block 176 of packet 172 is zero. 
DES block 176 is then used as the IV for encrypting the next DES block 178, 
and so on to the end of the packet 172. The last DES block 180 of packet 
172 is used as the IV to encrypt DES block 186 of the following packet 174. 
Within the next packet 174, DES block 186 is used as the IV to encrypt DES 
block 188, and so on to the end of the packet 174. The last DES block 190 of 
packet 174 is used as the IV, 191, to encrypt the DES blocks of the successive 
packet of the secure OPC message. 

As indicated, the key for computing the MAC is TVK. For the first 
packet 172, the IV is zero. For each successive packet, the IV is the 
encrypted data of the previous packet. For example, the IV, 181, for 
computing the MAC for packet 174 is the encrypted DES block 180 of the 
previous packet 172. Similarly, the IV, 191, for the following packet is the 
encrypted DES block 190 of the previous packet 174. In such manner, the 
resulting MAC is not independent for each packet, but instead is dependent on 
all the previous packets. The chaining of initial vectors for the MAC 
calculation for one packet to the MAC calculation for next packet provides 
protection that the packets are in the proper order, and have not been 
reordered by an attacker. 

In further detail, the MAC 182 is computed over the encrypted data DES 
blocks 176, 178, 180, with the IV equal to zero. The output of DES encryptor 
192A is the IV for DES encryptor 192B, and so on through to the last DES 
calculation 192N. The final output of the last CBC DES calculation 192N is 
loaded into packet 172 as the MAC 182 for packet 172. The MAC for the 
subsequent packet 174 is generated in a similar manner except that the IV for 
the first encryptor 194A is equal to the previous encrypted DES block 180. 
The output of DES encryptor 194A is the IV for DES encryptor 194B, and so on 
through to the last DES calculation 194N. The final output of the last DES 
calculation 194N is loaded into packet 174 as the MAC 184 for packet 174. 

RECEIVE SECURE OPC COMMANDS - CRYPTO UNIT 

The secure OPC command message packets 202 are received at the CRYPTO 
unit as shown in figure 10. CDK is recreated by encrypting TID in encryptor 
200 under TVK. 



To check the secure OPC message MAC at the CRYPTO, the secure packet 
(except for the MAC) is encrypted in CBC encryptor 204 under TVK using an IV 
equal to zero for the first packet, and equal to the last DES block of the 
previous packet for successive packets. The calculated MAC at the output of 
encryptor 204 is compared to the received secure OPC message MAC in comparator 
206. If the MAC received from the OPC is not equal to the MAC calculated by 
the CRYPTO unit, then the telephone connection is disconnected at step 210 and 
an error flag is set. Error flags are reported to the OPC on the following 
secure communication from the CRYPTO unit. However, if the MAC comparison 206 
indicates equality, processing of received secure commands is continued at 
step 208. 
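
The cross-linked chaining described above for the OPC (sender) and the CRYPTO unit (receiver), as an added example that is not code from the patent. Triple DES is replaced here by a stand-in 64-bit Feistel cipher built on SHA-256 so the example runs on the Python standard library alone; the keys, payloads and function names are constructed for illustration, and the checkblock is left out.

```python
import hashlib
import hmac

BLOCK = 8               # DES block width in bytes
ZERO_IV = bytes(BLOCK)  # IV of the first packet for both data and MAC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    """Stand-in 64-bit block cipher replacing triple DES (illustration only)."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, data):
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of 8 bytes")
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def cbc_mac(key, iv, encrypted):
    return cbc_encrypt(key, iv, encrypted)[-BLOCK:]


def prepare_packets(cdk, tvk, payloads):
    """OPC side: returns [(encrypted_data, mac), ...] in sending order."""
    packets, link = [], ZERO_IV
    for plain in payloads:
        enc = cbc_encrypt(cdk, link, plain)  # data under CDK
        mac = cbc_mac(tvk, link, enc)        # MAC under TVK, cross-linked IV
        packets.append((enc, mac))
        link = enc[-BLOCK:]                  # last encrypted block of packet N
    return packets


def receive_packets(cdk, tvk, packets):
    """CRYPTO unit side: returns (plaintexts, index of first bad packet or None)."""
    plains, link = [], ZERO_IV
    for n, (enc, mac) in enumerate(packets):
        bad_len = not enc or len(enc) % BLOCK != 0
        if bad_len or not hmac.compare_digest(cbc_mac(tvk, link, enc), mac):
            return plains, n                 # page: disconnect, set error flag
        plains.append(cbc_decrypt(cdk, link, enc))
        link = enc[-BLOCK:]
    return plains, None


# Constructed sample keys and command payloads (not from the patent).
CDK = b"constructed-data-key"
TVK = b"constructed-mac-key"
PAYLOADS = [b"ADD CREDIT 0050 ", b"WRITE EXPIRY 01/01/99   ", b"RESET PW"]


def run_cases():
    p0, p1, p2 = prepare_packets(CDK, TVK, PAYLOADS)
    flipped = (bytes([p1[0][0] ^ 1]) + p1[0][1:], p1[1])
    cases = {
        "in order": [p0, p1, p2],
        "reordered": [p0, p2, p1],
        "middle packet removed": [p0, p2],
        "content modified": [p0, flipped, p2],
        "packet substituted": [p0, p0, p2],
        "tail truncated": [p0, p1],
    }
    return {name: receive_packets(CDK, TVK, seq)[1] for name, seq in cases.items()}


if __name__ == "__main__":
    for name, failed in run_cases().items():
        print(f"{name:22} first failing packet: {failed}")
```

Every tampered sequence except the truncated one fails the MAC comparison at packet index 1. Dropping only the final packet leaves each received MAC valid, so a receiver built like this sketch needs a packet count or end marker to notice tail truncation.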

The prepended checkblock and the rest of the secure OPC message is 
recovered by encrypting in CBC encryptor 220 under CDK with an IV equal to 
zero for the first packet, and equal to the last DES block of the previous 
packet for successive packets. The recovered checkblock selected at the 
output of encryptor 220 is compared to the previously stored checkblock in 
comparator 212. If the checkblock received from the OPC is not equal to the 
checkblock calculated by the CRYPTO unit, then the telephone connection is 
disconnected at step 216 and an error flag is set. However, if the checkblock 
comparison 212 indicates equality, processing of received secure commands is 
continued at step 214. 

The successful round trip return of the checkblock indicates to the 
CRYPTO unit that the OPC knows the client key CK and is responding to the 
secure header message last sent by the CRYPTO unit. 

Commands received in the secure OPC command are processed at step 218. 
Typical commands are a clear operation, reset keys, write present time, write 
report time, write expiration time, write MDC key, write consumer ID, add 
credit, refund credit, load tax table, and reset password. The command to 
write report time sets a future time for the CRYPTO unit to report to the OPC. 

The command to write expiration time sets a future time after which the 
CRYPTO unit will not function, unless the expiration time is reset to a later 
expiration time during a subsequent secure communication exchange with the 
OPC. A programmable expiration time is a precaution against the CRYPTO unit 
being used to avoid payment for decrypted data. The programmable expiration 
time is also used to ensure the CRYPTO unit communicates with the OPC even if 
the CRYPTO unit is not used to make any purchases, a feature which allows the 
OPC to know which meters are operational for maintenance and support purposes, 
and forces a connection on an occasional basis as a security precaution. If 
the CRYPTO unit does not report to the OPC by the expiration time, no further 
data will be decrypted regardless of any other factor, such as available 
credit or database keys. 

DP SETUP - CRYPTO UNIT 

The data package setup routine (DP setup, shown in figure 11A), uses the 
CRYPTO unit client key 22, locally stored credit and locally stored keys (or 
keys obtained in a remote transaction mode), to prepare a key (DP or SU) for 
data decryption and to decrypt purchased data (260 or 266). 

The data package 265 format within the encrypted CD ROM database is 
shown in figure 11A. The encrypted data package 265 includes a header 254 
which incorporates a data package message key 256, and optionally a subunit 
header 262 which incorporates a subunit message key 264. Each data package 
265 includes a clear text abstract 258 and encrypted data 260 or 266 which 
have been encrypted using a data package (DP) key or a subunit (SU) key 
respectively. A clear text abstract 258 facilitates database searches prior 
to making a decision to purchase and decrypt the data to which the abstract 
relates. The header 254 and the subunit header 262 also contain a cost factor 
of the following respective encrypted data 260, 266. 

Prior to the decryption of the data package within a database, a 
database information record (DB info record) 222 is sent to the crypto unit 
typically upon the first use of a database, in a separate communication 
session. The DB info record 222 is sent in the clear, except for the DB 
message key which is encrypted under the client key CK. The DB info record 
further contains a price factor (352 in figure 16) for the database to which 
it relates. The actual purchase cost is the price factor from the DB info 
record 222 multiplied by the cost factor from the header 254 or 262. 

The DP setup routine operates as follows: The DB message key 256 from 
the DB info record 222 is encrypted using CK as the key in encryptor 252 to 
produce the DB keys, which is used as a key to encrypt the message keys 256 
in encryptor 268. The resulting clear DP key at the output of encryptor 268 
is used in normal mode as the key to decrypt data in decryptor 270, resulting 
in clear text. 

If the subunit option is used, then the DP key is further used as a key 
to encrypt the subunit message key 264 in encryptor 272 to provide a subunit 
key SU. The resulting clear subunit key SU is then used as the key to decrypt 
the encrypted subunit data 266 in decryptor 274 resulting in clear text. 

In the normal mode, the DP key (as the input to decryptor 270) is a 
single key. However, if the subunit option is used, the DP key (as the input 
to decryptor 272) is a triple key and the subunit key SU is a single key. A 
single key process for final data decryption in both the normal mode and 
subunit option mode is desirable because a single key decryption process runs 
faster than a triple key decryption process, making the single key process 
preferable unless the extra security of a triple key is needed. 



SUBUNIT OPTION 



Typically a separate encryption code is used for each separate data 
package and a separate charge is made for each decrypted data package. The 
subunit option is useful in cases where there are many small data packages and 
it is desired to encrypt each data package with a separate key. 

For example, assume that the data package 265 is a mailing list. Each 
mailing address record is too small to justify a separate header containing 
an encryption/decryption key, yet it is desired to encrypt each separately and 
charge for each separately when each data record is decrypted from the mailing 
list. In such case, the encryption keys might use more memory than the data 
itself, resulting in inefficient data storage. Therefore, the subunit message 
key may be shortened to 40 bits for example. A subunit key shorter than the 
data package key is a compromise between the competing values of data storage 
efficiency and cryptographic security. In the embodiment shown, the subunit 
message key is implied from the data storage structure. 

The subunit message key 264 is formed by using the data address 263 
within the data package 265 as a key. The data address 263 is masked to match 
the length of the desired subunit message key 264. By using the address of 
the desired encrypted data as the encrypted subunit message key (to be 
encrypted under the DP key), no memory space is needed to store encrypted 
subunit message keys. 

A flow chart of the logic for using the DP setup routine in remote 
transaction mode (RTM) is shown in figure 11B. Upon entering DP setup at step 
334, the CRYPTO checks the DB info record at step 336 to determine whether the 
database provider allows RTM. If the DB info record does not allow RTM, and 
the user requests RTM, the program aborts at step 338A. If the user does not 
request RTM at step 338A, the standard DP setup routine is run at step 340. 
If the user does not request RTM at step 338, the standard DP setup routine 
is run at step 340. If the user does request RTM at step 338, RTM is entered. 
After returning from an approved remote transaction in RTM, the standard DP 
setup routine is entered at step 340. A description of the messages exchanged 
in RTM is described in conjunction with figures 12, 13, 14 and 15, below. 

After DP setup 340, the cost of the data package is debited from a 
credit register and a purchase log entry is made in the non-volatile RAM at 
step 342, if the data package was purchased using local credit. If the data 
package purchase price was paid in a remote transaction, the credit register 
is not changed at step 342, and a purchase log entry is not made in the 
non-volatile RAM. Thereafter, the desired data package is decrypted at step 344. 

Figure 12 shows the remote transaction request generation at the CRYPTO 
unit. Keys UK and TID are generated as before. In addition two temporary 
keys SC and SB are generated. In particular, SC is generated by encrypting 
the meter ID 30 in encryptor 276 under intermediate key SA. The purchase log 
278 from the non-volatile RAM memory is CBC encrypted under UK in encryptor 
280 to provide a purchase log MAC 281. The credit register is encrypted under 
temporary key SC in encryptor 284 to provide an encrypted credit register 
value 285. 

The meter version, meter ID, TID, purchase log with generated purchase 
log MAC, and the encrypted credit register are assembled 287 into a packet 
with its own MAC and sent as a remote transaction request 288 to the OPC. A 
MAC for the remote transaction request message is generated by CBC encryption 
of the message data in encryptor 286 under the temporary key SC. Temporary 
key SB is generated by encrypting the remote transaction request MAC in 
encryptor 230 under the temporary key SC. 

At the OPC, the remote transaction request 292 is received and processed 
as shown in figure 13. As in the processing of a secure header message, CK, 
UK and SA are generated at the OPC. Temporary key SA is used to encrypt the 
meter ID in CBC encryptor 294 to form temporary key SC. The OPC calculates 
the MAC for the remote transaction message by CBC encryption in encryptor 298 
under SC. The calculated MAC is encrypted in encryptor 296 to form temporary 
key SB. 

The remote transaction MAC is calculated in CBC encryptor 298 under SC 
and compared to the remote transaction MAC from the CRYPTO unit in comparator 
300. If the remote transaction MAC calculated at the OPC is not equal to the 
CRYPTO unit supplied remote transaction MAC, the session is terminated at step 
302. Also, the purchase log MAC is calculated in CBC encryptor 304 under UK 
and compared to the purchase log MAC from the CRYPTO unit in comparator 306. 
If the purchase log MAC calculated at the OPC is not equal to the CRYPTO unit 
supplied purchase log MAC, the session is terminated at step 310. 

The encrypted credit register contents are decrypted in decryptor 308 
under SC. The credit register contents in conjunction with the meter ID and 
purchase log are processed 312 to approve the current purchase. The credit 
of the subscriber is checked to determine credit capacity, and if adequate, 
the authority to make the present data purchase is granted. If MAC 
comparisons 300 and 306 indicate equality, and the authority to make the 
present purchase is granted 312 then the remote transaction is approved at the 
output of AND gate function 314. 

The approval of the remote transaction is processed 316 and communicated 
back to the CRYPTO unit as in figure 14. Also the DB keys are retrieved from 
the DB info record and are encrypted in encryptor 320. The DB keys 318 are 
encrypted in encryptor 320 under SB as the encryption key, and the enciphered 
DB keys are transmitted to the CRYPTO unit in a remote transaction response 
322. 

The CRYPTO unit receives and processes the remote transaction response 
as in figure 15. The remote transaction response is received 324 and 
decrypted in decryptor 326 under SB as the decryption key. The DB message 
keys from the OPC remote transaction response are compared 328 to the DB 
message keys from the DB info record 222, and if not equal, the transaction 
is aborted at step 330. 



If the comparison 328 indicates that the DB keys from the CRYPTO unit 
DB info record are equal to the DB keys from the OPC supplied remote 
transaction response, the DP setup routine continues at step 332. In such 
manner, a real time on line purchase of the data package is effected which 
permits continuation of the user's data session. 

DB INFO RECORD 

As indicated above, the DB info record is sent to the user in a separate 
communication session. The DB info record, illustrated in figure 16, is 
stored in memory in the user terminal. The DB info record contains the DB 
message key 340 which is the DB key encrypted under the client key CK. The 
other data fields of the DB info record, such as the price factor 352 
discussed above, are in the clear. The DB info record also contains 
additional fields useful in controlling access to encrypted databases. 

In particular, the consumer ID 342 from the DB info record is compared 
to the locally stored consumer ID previously received via the secure message 
(238 in figure 2) in response to a secure request (236 in figure 2) as 
described above. If the consumer ID from both sources do not match the 
CRYPTO unit will not use the stored DB info record 222. The foregoing feature 
permits special pricing to be offered to specific users, identified by their 
consumer ID. 

Additionally, the DB info record 222 contains a purchase window field 
344. The purchase window is the amount of time that the user may decode the 
purchased data. The purchase window can be set short, so as to effectively 
allow one time data decryption, up to a span of days, months or even to 
unlimited ability to decrypt the purchased data. 

A purchase permission field 346 defines whether the user may make a 
purchase in audit trail mode (off line) , or the remote transaction mode (on 
line) or both. In certain cases where the information publisher desires to 
control distribution, typically for a high value product, only remote 
transaction mode may be permitted. 

The DB info record also includes a start time field 348 and an 
expiration time field 350. The DB info record 222 is valid only between the 
start time 348 and the expiration time field 350. That is, before the start 
time 348 and after the expiration time 350 the CRYPTO unit will not use the 
DB info record 222. The foregoing feature permits more than one DB info 
record for the same database. In such manner, special pricing may be offered 
for specific periods, identified by the period defined between the start time 
348 and the expiration time 350. 



The foregoing describes a comprehensive metered data and communication 
system including remote transaction capability and using an encrypted data 
structure with flexible system control. 

What is claimed is: 

1. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, a method for securing said message between 
said first and second terminals, said method comprising: 

encrypting said message under a first cryptographic code key, using a 
cipher block chaining mode having a first initial vector input, to form 
said first and second plurality of encrypted data blocks; 

encrypting said first plurality of encrypted data blocks under a second 
cryptographic code key using said cipher block chaining mode having a 
second initial vector input for said first packet to form said first 
message authentication code; 

appending said first message authentication code to said first 
plurality of encrypted data blocks; 

encrypting said second plurality of encrypted data blocks under said 
second cryptographic code key using said cipher block chaining mode 
having a third initial vector input for said second packet to form said 
second message authentication code; 

selecting one of said first plurality of encrypted data blocks of said 
first packet as said third initial vector for said second packet for 
forming said second message authentication code; 

appending said second message authentication code to said second 
plurality of encrypted data blocks; 

sending said message from said first terminal to said second terminal; 

receiving said second packet including a received second plurality of 
encrypted data blocks and a received second message authentication 
code; 

encrypting said second plurality of encrypted data blocks under said 
second cryptographic code key using said cipher block chaining mode and 
said third initial vector input for said received second packet to form 
a calculated second message authentication code; and 

selecting one of said first plurality of encrypted data blocks of said 
first packet as said third initial vector input. 

2. A method in accordance with claim 1, further comprising: 

comparing said calculated second message authentication code with said 
received second message authentication code; and 

disconnecting said telecommunications link between said first and 
second terminals if said calculated second message authentication code 
is not substantially equal to said received second message 
authentication code. 



3. A method in accordance with claim 1, wherein said selected one of 
said first plurality of encrypted data blocks of said first packet comprises 
the last of said first plurality of encrypted data blocks. 

4. A method in accordance with claim 1, wherein said first initial 
vector equals zero. 

5. A method in accordance with claim 1, wherein said second initial 
vector equals zero. 

6. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, a method for sending said message between 
said first and second terminals, said method for sending comprising: 

encrypting said message under a first cryptographic code key, using a 
cipher block chaining mode having a first initial vector input, to form 
said first and second plurality of encrypted data blocks; 

encrypting said first plurality of encrypted data blocks under a second 
cryptographic code key using said cipher block chaining mode having a 
second initial vector input for said first packet to form said first 
message authentication code; 



appending said first message authentication code to said first 
plurality of encrypted data blocks; 

encrypting said second plurality of encrypted data blocks under said 
second cryptographic code key using said cipher block chaining mode 
having a third initial vector input for said second packet to form said 
second message authentication code; 

selecting one of said first plurality of encrypted data blocks of said 
first packet as said third initial vector for said second packet for 
forming said second message authentication code; and 

appending said second message authentication code to said second 
plurality of encrypted data blocks. 

7. A method in accordance with claim 6, wherein said selected one of 
said first plurality of encrypted data blocks of said first packet comprises 
the last of said first plurality of encrypted data blocks. 

8. A method in accordance with claim 6, wherein said first initial 
vector equals zero. 

9. A method in accordance with claim 6, wherein said second initial 
vector equals zero. 

10. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, said first and second packets being 
encrypted under a first cryptographic code key using a cipher block chaining 
mode and first initial vector input to form said first and second plurality 
of encrypted data blocks, said first plurality of encrypted data blocks being 
encrypted under a second cryptographic code key and a second initial vector 
said second plurality of encrypted data blocks being encrypted under said 
second cryptographic code key using a cipher block chaining mode and a third 
initial vector input for said second packet, a method for receiving said 
message between said first and second terminals, said method for receiving 
comprising: 

receiving said second packet including a received second plurality of 
encrypted data blocks and a received second message authentication 
code; 

encrypting said second plurality of encrypted data blocks under said 
second cryptographic code key using said cipher block chaining mode and 
said third initial vector input for said received second packet to form 
a calculated second message authentication code; and 

selecting one of said first plurality of encrypted data blocks of said 
first packet as said third initial vector input. 

11. A method in accordance with claim 10, further comprising: 

comparing said calculated message authentication code with said 
received message authentication code; and 

disconnecting said telecommunications link between said first and 
second terminals if said calculated second message authentication code 
is not substantially equal to said received second message 
authentication code. 

12. A method in accordance with claim 10, wherein said selected one 
of said first plurality of encrypted data blocks of said first packet 
comprises the last of said first plurality of encrypted data blocks. 

13. A method in accordance with claim 10, wherein said first initial 
vector equals zero. 

14. A method in accordance with claim 10, wherein said second initial 
vector equals zero. 

15. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, a method for securing said message between 
said first and second terminals, said method comprising: 

encrypting said message under a first cryptographic code using a cipher 
block chaining mode to form said plurality of encrypted data blocks; 

encrypting said plurality of encrypted data blocks using a second 
cryptographic code using a cipher block chaining mode to form said 
second message authentication code, said cipher block chaining mode 
having a respective initial vector input for each packet; 

selecting one of said encrypted data blocks in said first packet as the 
initial vector for forming said message authentication code for said 
second packet following said first packet; 

sending said message from said first terminal to said second terminal; 

receiving said message including received first and second packets at 
said second terminal, and including received first and second plurality 
of encrypted data blocks and received second message authentication 
code; 

encrypting said received second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode and an initial vector for forming a calculated second 
message authentication code for said received second packet; and 

selecting one of said first plurality of encrypted data blocks of said 
first packet as said initial vector for said second received packet. 

16. A method in accordance with claim 15, further comprising: 

comparing said calculated second message authentication code with said 
received second message authentication code; and 

disconnecting said telecommunications link between said first and 
second terminals if said calculated second message authentication code 
is not substantially equal to said received second message 
authentication code. 

17. A method in accordance with claim 15, wherein said selected one 
of said first plurality of encrypted data blocks of said first packet as said 
initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 

18. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, a method for sending said message between 
said first and second terminals, said sending method comprising: 



encrypting said message under a first cryptographic code using a cipher 
block chaining mode to form said plurality of encrypted data blocks; 

encrypting said plurality of encrypted data blocks using a second 
cryptographic code using a cipher block chaining mode to form said 
message authentication code, said cipher block chaining mode having an 
initial vector input; and 

selecting one of said encrypted data blocks in a given packet as the 
initial vector for calculating said message authentication code for the 
packet following said given packet. 

19. A method in accordance with claim 18, wherein said selected one 
of said first plurality of encrypted data blocks of said first packet as said 
initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 

20. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, said message being encrypted under a first 
cryptographic code using a cipher block chaining mode to form said plurality 
of encrypted data blocks, said plurality of encrypted data blocks being 
encrypted using a second cryptographic code key using a cipher block chaining 
mode to form said second message authentication code, said cipher block 
chaining mode having a respective initial vector input for each packet, a 
method for receiving said message between said first and second terminals, 
said receiving method comprising: 

receiving said message including received first and second packets at 
said second terminal, and including received first and second plurality 
of encrypted data blocks and received second message authentication 
code; 

encrypting said received second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode and an initial vector for forming a calculated second 
message authentication code for said received second packet; and 



selecting one of said first plurality of encrypted data blocks of said 
first packet as said initial vector for said second received packet. 

21. A method in accordance with claim 20, further comprising: 

comparing said calculated second message authentication code with said 
received second message authentication code; and 

disconnecting said telecommunications link between said first and 
second terminals if said calculated second message authentication code 
is not substantially equal to said received second message 
authentication code. 

22. A method in accordance with claim 20, wherein said selected one 
of said first plurality of encrypted data blocks of said first packet as said 
initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 

23. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, an apparatus for securing said message 
between said first and second terminals, said apparatus comprising: 

means for encrypting said message under a first cryptographic code key, 
using a cipher block chaining mode having a first initial vector input, 
to form said first and second plurality of encrypted data blocks; 

means for encrypting said first plurality of encrypted data blocks 
under a second cryptographic code key using said cipher block chaining 
mode having a second initial vector input for said first packet to form 
said first message authentication code; 

means for appending said first message authentication code to said 
first plurality of encrypted data blocks; 

means for encrypting said second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode having a third initial vector input for said second 
packet to form said second message authentication code; 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said third initial vector for said 
second packet for forming said second message authentication code; 

means for appending said second message authentication code to said 
second plurality of encrypted data blocks; 

means for sending said message from said first terminal to said second 
terminal; 

means for receiving said second packet including a received second 
plurality of encrypted data blocks and a received second message 
authentication code; 

means for encrypting said second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode and said third initial vector input for said received 
second packet to form a calculated second message authentication code; 
and 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said third initial vector input. 

24. An apparatus in accordance with claim 23, further comprising: 

means for comparing said calculated second message authentication code 
with said received second message authentication code; and 

means for disconnecting said telecommunications link between said first 
and second terminals if said calculated second message authentication 
code is not substantially equal to said received second message 
authentication code. 

25. An apparatus in accordance with claim 23, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet 
comprises the last of said first plurality of encrypted data blocks. 

26. An apparatus in accordance with claim 23, wherein said first 
initial vector equals zero. 

27. An apparatus in accordance with claim 23, wherein said second 
initial vector equals zero. 

28. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, an apparatus for sending said message 
between said first and second terminals, said apparatus for sending 
comprising: 

means for encrypting said message under a first cryptographic code key, 
using a cipher block chaining mode having a first initial vector input, 
to form said first and second plurality of encrypted data blocks; 

means for encrypting said first plurality of encrypted data blocks 
under a second cryptographic code key using said cipher block chaining 
mode having a second initial vector input for said first packet to form 
said first message authentication code; 

means for appending said first message authentication code to said 
first plurality of encrypted data blocks; 

means for encrypting said second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode having a third initial vector input for said second 
packet to form said second message authentication code; 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said third initial vector for said 
second packet for forming said second message authentication code; and 

means for appending said second message authentication code to said 
second plurality of encrypted data blocks. 

29. An apparatus in accordance with claim 28, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet 
comprises the last of said first plurality of encrypted data blocks. 

30. An apparatus in accordance with claim 28, wherein said first 
initial vector equals zero. 

31. An apparatus in accordance with claim 28, wherein said second 
initial vector equals zero. 

32. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, said first and second packets being 
encrypted under a first cryptographic code key using a cipher block chaining 
mode and first initial vector input to form said first and second plurality 
of encrypted data blocks, said first plurality of encrypted data blocks being 
encrypted under a second cryptographic code key and a second initial vector, 
said second plurality of encrypted data blocks being encrypted under said 
second cryptographic code key using a cipher block chaining mode and a third 
initial vector input for said second packet, an apparatus for receiving said 
message between said first and second terminals, said apparatus for receiving 
comprising: 

means for receiving said second packet including a received second 
plurality of encrypted data blocks and a received second message 
authentication code; 

means for encrypting said second plurality of encrypted data blocks 
under said second cryptographic code key using said cipher block 
chaining mode and said third initial vector input for said received 
second packet to form a calculated second message authentication code; 
and 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said third initial vector input. 

33. An apparatus in accordance with claim 32, further comprising: 

means for comparing said calculated message authentication code with 
said received message authentication code; and 

means for disconnecting said telecommunications link between said first 
and second terminals if said calculated second message authentication 
code is not substantially equal to said received second message 
authentication code. 

34. An apparatus in accordance with claim 32, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet 
comprises the last of said first plurality of encrypted data blocks. 

35. An apparatus in accordance with claim 32, wherein said first 
initial vector equals zero. 

36. An apparatus in accordance with claim 32, wherein said second 
initial vector equals zero. 

37. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, an apparatus for securing said message 
between said first and second terminals, said apparatus comprising: 

means for encrypting said message under a first cryptographic code 
using a cipher block chaining mode to form said plurality of encrypted 
data blocks; 

means for encrypting said plurality of encrypted data blocks using a 
second cryptographic code using a cipher block chaining mode to form 
said second message authentication code, said cipher block chaining 
mode having a respective initial vector input for each packet; 

means for selecting one of said encrypted data blocks in said first 
packet as the initial vector for forming said message authentication 
code for said second packet following said first packet; 

means for sending said message from said first terminal to said second 
terminal; 

means for receiving said message including received first and second 
packets at said second terminal, and including received first and 
second plurality of encrypted data blocks and received second message 
authentication code; 

means for encrypting said received second plurality of encrypted data 
blocks under said second cryptographic code key using said cipher block 
chaining mode and an initial vector for forming a calculated second 
message authentication code for said received second packet; and 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said initial vector for said second 
received packet. 



38. An apparatus in accordance with claim 37, further comprising: 

means for comparing said calculated second message authentication code 
with said received second message authentication code; and 

means for disconnecting said telecommunications link between said first 
and second terminals if said calculated second message authentication 
code is not substantially equal to said received second message 
authentication code. 

39. An apparatus in accordance with claim 37, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet as 
said initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 

40. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, an apparatus for sending said message 
between said first and second terminals, said sending apparatus comprising: 

means for encrypting said message under a first cryptographic code 
using a cipher block chaining mode to form said plurality of encrypted 
data blocks; 

means for encrypting said plurality of encrypted data blocks using a 
second cryptographic code using a cipher block chaining mode to form 
said message authentication code, said cipher block chaining mode 
having an initial vector input; and 

means for selecting one of said encrypted data blocks in a given packet 
as the initial vector for calculating said message authentication code 
for the packet following said given packet. 

41. An apparatus in accordance with claim 40, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet as 
said initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 

42. In a cryptographic communication system including first and second 
terminals, said first and second terminals being connected via a 
telecommunications link, said cryptographic communication system providing a 
message comprising a plurality of packets, including at least first and second 
packets, each of said first and second packets comprising a respective first 
and second plurality of encrypted data blocks and a respective first and 
second message authentication code, said message being encrypted under a first 
cryptographic code using a cipher block chaining mode to form said plurality 
of encrypted data blocks, said plurality of encrypted data blocks being 
encrypted using a second cryptographic code key using a cipher block chaining 
mode to form said second message authentication code, said cipher block 
chaining mode having a respective initial vector input for each packet, an 
apparatus for receiving said message between said first and second terminals, 
said receiving apparatus comprising: 

means for receiving said message including received first and second 
packets at said second terminal, and including received first and 
second plurality of encrypted data blocks and received second message 
authentication code; 

means for encrypting said received second plurality of encrypted data 
blocks under said second cryptographic code key using said cipher block 
chaining mode and an initial vector for forming a calculated second 
message authentication code for said received second packet; and 

means for selecting one of said first plurality of encrypted data 
blocks of said first packet as said initial vector for said second 
received packet. 

43. An apparatus in accordance with claim 42, further comprising: 

means for comparing said calculated second message authentication code 
with said received second message authentication code; and 

means for disconnecting said telecommunications link between said first 
and second terminals if said calculated second message authentication 
code is not substantially equal to said received second message 
authentication code. 

44. An apparatus in accordance with claim 42, wherein said selected 
one of said first plurality of encrypted data blocks of said first packet as 
said initial vector for said second received packet comprises the last of said 
first plurality of encrypted data blocks. 
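
The sending and receiving steps recited in the claims above, as an added Python sketch that is not part of the patent text: each packet's message authentication code is the last block of a second CBC pass over its ciphertext blocks, with the initial vector taken from the last ciphertext block of the preceding packet (zero for the first packet). The `toy_block_encrypt` Feistel stand-in, the 8-byte block size, the keys and the packet contents are assumptions constructed here; the `linked=False` path is included only to contrast with a fixed zero initial vector per packet.

```python
import hashlib
import hmac

BLOCK = 8  # block size in bytes (assumption for this sketch)
ZERO_IV = bytes(BLOCK)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 4-round Feistel permutation; NOT the patent's cipher, NOT for real use."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def cbc_blocks(key: bytes, iv: bytes, data: bytes) -> list:
    """CBC-encrypt data (a whole number of blocks) and return the output blocks."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return out

def send(enc_key, mac_key, plain_packets, linked=True):
    """Sender side: return [(ciphertext_blocks, mac), ...] for the message."""
    enc_iv, mac_iv, packets = ZERO_IV, ZERO_IV, []
    for plain in plain_packets:
        blocks = cbc_blocks(enc_key, enc_iv, plain)
        # MAC = last block of a second CBC pass over the ciphertext blocks.
        mac = cbc_blocks(mac_key, mac_iv, b"".join(blocks))[-1]
        packets.append((blocks, mac))
        enc_iv = blocks[-1]  # one CBC chain runs over the whole message
        mac_iv = blocks[-1] if linked else ZERO_IV  # the cross link
    return packets

def receive(mac_key, packets, linked=True):
    """Receiver side: index of the first packet whose MAC fails, else None."""
    mac_iv = ZERO_IV
    for n, (blocks, mac) in enumerate(packets):
        calc = cbc_blocks(mac_key, mac_iv, b"".join(blocks))[-1]
        if not hmac.compare_digest(calc, mac):
            return n  # the claims disconnect the link at this point
        mac_iv = blocks[-1] if linked else ZERO_IV
    return None

# Constructed sample input: two keys and a three-packet message.
ENC_KEY, MAC_KEY = b"constructed-key-1", b"constructed-key-2"
PLAIN = [b"PACKET-0" * 2, b"PACKET-1" * 2, b"PACKET-2" * 2]
```

With the cross link, a reordered, dropped or altered packet fails verification at the first affected position, whereas the zero-vector variant accepts reordered packets. Plain CBC-MAC is only sound for fixed-length inputs, so a current design would get the same ordering guarantee from CMAC, HMAC or an AEAD mode with an explicit sequence number.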